FEDERAL BUREAU OF INVESTIGATION 
FOI/PA DELETED PAGE INFORMATION SHEET 
FOIPA Request No.: 1402995 000 
CivilAction No.: 19-cv-1495 


Total Withheld Page(s) = 25 


Bates Page Reference 

Reason for Withholding 

(i.e., exemptions with coded rationale, 
duplicate, sealed by order of com1, etc.) 

FBI(19-cv-1495)-19 

(b)(7)(E)-1 

FBI(19-cv-1495)-32 

(b)(6)/(b)(7)(C)-l, 3 

FBI(19-cv-1495)-49 

(b)(3)-l: (b)(6)/(b)(7)(C)-l 

FBI(19-cv-1495)-50 

(b)(3)-l; (b)(6)/(b)(7)(C)-3 

FBI(19-cv-1495)-52 

(b)(3)-l;(b)(6)/(b)(7)(C)-l,4 

FBI(19-cv-1495)-65 

(b)(3)-L (b)(6)/(b)(7)(C)-l. 5 

FBI(19-cv-1495)-69 

(b)(6)/(b)(7)(C)-l, 3; (b)(7)(E)-l 

FBI(19-cv-1495)-70 

(b)(6)/(b)(7)(C)-l, 2, 5; (b)(7)(E)-l 

FBI(19-cv-1495)-72 

(b)(6)/(b)(7)(C)-l: (b)(7)(E)-l 

FBI(19-cv-1495)-73 tlmi FBI(19-cv-1495)-88 

(b)(7)(E)-1_ 


xxxxxxxxxxxxxxxxxxxxxx 

X Deleted Page(s) X 

X No Duplication Fee X 

X For this Page X 

XXXXXXXXXXXXXXXXXXXXXX 








































System Data: 

Hardware/configuration (CPU): Various 
Operating System: Various - , 

Software: Various > ■' 

Security Features: 

Security Software Installed: x yes (identify firewalls, router) 

Logon Warning Banner: x yes no 

INTRUSION INFORMATION 

Access for intrusion: x Internet connection □ dial-up number □ LAN (insider) 

If Internet: Internet address: TBD 

Network name: TBD 

Method: 

The individual who caused the intrusion first performed a port scan on their 
system identifying the vunerable ports. Once he identified the vunerable ports he performed an 
exploit on the ports gaining access the the outer network. Once inside he was able to obtain 
employees userids' and social security numbers. He activated guessed the password of a former 
employee's .userid and gained access to the internal network. Once inside he left a password 
behind so that he could access the system at a later date. He also left his name behind in another 
system as a type of fingerprint that he had been there. The hacker, Adrian Lamo, held a press 
conference and admitted to committing the hack. 

Path of intrusion: TBD 

addresses: 1. TBD 




FBI(19-cv-1495)-3 






To: Counterterrorism 

_ SAC, New Yor^ 

Re: 




Date 01/23/2002 



b3 -2 
b7E -3; 


Operating System; 
Software: 


Impact: 


Compromise of classified information: □ yes x no 
Estimated number of computers affected; 4 
Estimated dollar loss to date; over $5000 


Category of Crime: 

Impairment: 

X Malicious code inserted 
Denial of service 

Destruction of information/software 
X Modification of information/software 


Intrusion: 

X Unauthorized access 
□ Exceeding authorized access 


Theft of Information: 

O Classified informaticn compromised 
X Unclassified information compromised 
X Passwords obtained 
Computer processing time obtained 
Telephone services obt^ned 
Application software obtained 
Operating software obtained 


Have spoken witli 


REMARKS 


bf the Southern District of New York and complaintant. 


b6 -4 
b7C -4 


♦ ♦ 
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FD -340 (Rev. 3 - 8 - 01 ) 


SJniversai Case File Number _ 

Field Office Acquiring Evidence 

Serial # of Originating Document _ 

Date Received ^ 2.06^ 


iU-L IMFCK-iaTIOH C21TIAIHE: 
rZEREIH IS UITCIASSIFIED 
E'ATE 02-13-2010 3ir €0524 UC 


b6 -1 
b7C -1 



b3 -2 
b7E -3 



b7D -3 


(Name of Contributor) 


(Adless of Contributor) 


(City and State) 


To Be Returned Ci Yes !p No 

Receipt Given LD Yes 13 No 

Grand Jury Material - Disseminate Oj ily Pursuant to Rule 6 (e) 

F^eral Rules of Criminal Procedure 

□ Yes □ No 

Federal Taxpayer Information (FTI) 

□ Yes P No 

Title: LAf^Oj 

MV T/^ey ^\/icr/H 


b6 -1 
b7C -1 


Reference' 


(Communication Enclosing Material) 


Description: [13 Original notes re interview of 



b7D -1 


-'ix 
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b6 -1 1 
b7C -1 


2.LL iMrcpyATicir xi'rrAi?rE;' 

SEREIN IS railRSSiriEl: 

"ATE Q2-13-2Q1Q EY <50324 UC 

DOC LAB NOTE 

DOCUMENT(S) 
CANNOT 

BE SCANNED 

. ) 

DESCRIPTION: 


C- D- Ro/t~) 


FBI(19-cv-1495)-7 





FD-340 (7-19-00) 


b6 -1 
hlC -1 


all I1'TFCPL'L2iTICH CCMTAItTEL 
SEREIN IS unclassified 
DATE 02-IS-2010 Ei CJC 


Vnivenal Case File Number 


Field OiYIce Acquiring Evidence 




Serial # of Originating Document 


Date Received * IH ‘ 0 * 2 ^ 

From 


(Name of Contributor) 


yjocibo^ _ 

(Address of Contributor) 


b3 -2 
b7E -3 


b6 -2 
b7C -2 


(Ci^ and State) 


By ___ 

To Be Returned D Yes B^o 

Receipt (Siven D Q—No 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 

Federal Rules of Criminal Procedure 

□ Yes B-No 

Federal Taxpayer biformation GTi) 

n Yes Q'^o 

Title: 


Reference: 


(Communicatioa Enclosing N&iterial) 


Description: Q 

3^Original notes re interview of 
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b7C -2 
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FD-340 (7-19-00) 


ALL IHFCPLfiTICN LCHTAItTEi:' 
r-iSRFIH IS UIICLASSIFIEI 

:atc 02-1S-2010 Ei 


Universal Case File Numberl 


Field OiVIce Acquiring Evidence 


mo 


Serial# of Originating Document ■ 


Date Receiyfid 
From 


(Name of Contributor) 


(Address of Contributor) 


By 






To Be Returned d Yes 
Receipt Given D 

Grand Juiy Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes 

Federal Taxp^cr Information (FTI) 
n Yes 

Tide: 


Reference; 


(Communication Enclosing M^erial) 


ngtirrintinn;_ -Ht Original notes re mt| 

Tview of 

L'-rrtvo ^pjii W. ' 

h\iu7) ^ 



b6 -1 
b7C -1 

b3 -2 
b7E -3 


b6 -2 
b7C -2 


b6 -1 
b7C -1 


b6 -2 
b7C -2 


FBI(19-cv-1495)-i2 










b6 -1 
b7C - 



all IMTOF^MATICli COHTJ-.ItlE' 
HEREIN IS UNILASSiriEl: 

LATE 02-13-201C BY 60324 CC 



2idnn.Qana(i.Ju.._ ...did . irf..,..rte.o t.( jigin u)haf Jii...saLcLJ.e. 

_..l'Sid.„pass.vu(2rd ...rf. 'fjfck-.. _ 

.ait. CitCkj ..Smt.d>a:is ..^aLjn : ■ 

.^r£..>apersH.s-kps /s-feWsd ^ na m^ s erf _ 

.. .s .l.as±_.di...Qli^ is. _ 

_ iiiii!(L\...^e.cu.n.iiJ^ . hati .S.iipers.isirti/_ _■ 
















(City and State) 


To Be Returned D Yes 

Receipt Given D ET 

Grand Jury Material - Disseminate Ori^ 
Federal Rules of C rimin al Procedure 

□ Yes "Q 

Federal Taxpayer Information (^I) 

□ Yes ^ 

Title; 


•^No 

No 

Oii^'l^irsuant 


it to Rule 6 (e) 



Reference: 


(Communicatioii Enclosing Material) 






blC 
b3 - 


b7E -3 


b6 -2 
b7C -2 


b6 -2 
b7C -2 
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rilL IMFCWS.IICM CGL'TiaiNEZ 
MEREIH IS UHCLASSIEIED 

02-1O-2C10 3Y i0324 US 


FD-340(7-19-C0) 


Universal Case File Number 


Field Offlce Acquiring Evidence 
Serial if of Originating Document 




Date Rfegfeivfcd 


Froij 




(Name of Contributor) 

Tko V\pu) Hcrt Tima/} 

(Address of Contributor) 



b7C -1 

b3 -2 I 
b7E -3 I 


b6 -2 
b7C -2 


By 




b6 -1 
b7C -1 


To Be Returned D Yes Q^o 

Receipt Given D 0^o 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 

Federal Rules of Criminal Procedure 

□ Yes DTio 

Federal Taxpayer Infonnation (FTI) 

D Yes No 

Title: 


Reference: 


(Communication Enclosing Material) 


Descrip tion: -B" Original notes re interview of 
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ALL iriFORL'LlIICM LCtTIAIl'TEL 
HEREIN 13 UNELA3SIFIEL i 
DATE C'D-lo-DOlO 3Y 20324 UD 



b6 -2 
blC -2 

b6 -1 
b7c 


Al<bJp2. 


.fJ&YO TiM65 



.Kfi)gw ^ SAi'o /T" A//tS 


b7E -1 



- 18 . " 

























FD-340 (7-19-00) 


ALL INFCP^STICN CCHTAIUE:' 
sFREIlT IS U1ISLAS3IFIEI 
:,ATE C'2-13-201G BY 50324 CC 


UaiversitI C&se File Number 


FMd Office Acquiring Evidence 
Serial # of Originating Document 
Date it«w^tvpd 


TW 


From 


rA{n\n'X 


(Name of Contribu tor) 




(Address of Coatribitor) 


b6 -1 
b7C -I 
b3 -2 I 
b7E -3 


b6 -2 
b7C -2 


By 


b6 -1 
b7C -1 


To Be Returned D Yes —S^No 

Receipt (jiven O ^.D—Np 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 

Federal Rules of Criminal Procedure 

□ Yes 

Federal Taxpayer Infoimatioa (FTI) 

d Yes d’ No 

Title: 


Reference: 


(Communication Enclosing Material) 


Des 


TKii- .IHxlD 



1/W/3 
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ALL INFCKLATICII CCNTAIITED 
HEREIN IS UNCLASSIEIEI 
LATE 02-13-2010 Ei g'0324 UC 


b6 -1| 
b7C -1 


(LNG), 05:48 PM 3/12/02 -0500, Re: Information on ids 


b6 -2,-6 
■b7C -2,-6 


To 
From 


om:|[ 


](LNG)"f 


Subject: Re: Information on ids 
Co: 

Bcc: 

Attached: 


b6 -6| 

- ' b7C -6 

Could you determine for me whether any other IDs were created on the Times account between 2/17 and 
2/28? I'd like to see a list of them if you can do it. 

I'll probably have you kill any that! cannot readily identify. 

Thank you. 


b6 -2 I 
b7C -2 















iLL INFCRb&iTICN CCiriAIHEC 
HEREIN IS UHCLiiSSIEIED 
DATE 02-13-2010 3Y 60324 UC 
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(Ci^ and State) 


By 


To Be Returned d Yes Q'^o 

Receipt Given EH O' No 

Grand Jury Material - Dissemin^e Only Pursuant to Rtde 6 (e) 

Federal Rules of Criminal Procedure 

□ Yes 0"No 

Federal Taxpayer Infoimation (FTI) 

□ Yes Q^No 


Title: 




b6 -1 
b7C - 

b3 -2 
b7E -3 


bb -2 
b7C -2 


b6 -2 
b7C -2 
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1_ 

"ClllLpJ 

hky 


- L 


S^&b'CQ-- 


b 6 -2 

-b7c 


H 



' d.Arf^ y-r 



JWilA/i. 


CwiAuirtak Ai/Yn g/O 



I _AIL IMFCSLLATICM 2 CITIAIHE; 

g(1 /lYi.. -fU . 


b 6 - 1 | 
b 7 C -: 






FBI(19-cv-1495)-27 




















FD-340 (7-19-00) 


Universal Case File Number 



Field Office Acquiring Evidence 




Serial if of Ori^ating Document 


Date Received *~f 

F„m U)('\S - KiftCU£> 


(Name of Contribirtor) 


(Address of Contributor) 


(City and State) 


To Be Returned □ Yes [Q^o 

Receipt Given d {n--d?o 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 

Federal Rules of Criminal Procedure 

r~l Yes dL-d^o 

Federal Taxpayer Information (FTI) 

□ Yes S^No 


ALL Il'IFCRt-STION C2NTAI?IE:' 
HEREIN IS millASSUIEI 
DATE 02-15-2010 Ei 50321 UZ 


Reference: 


PLEASE DO NOT REMOVE 

mtTTt? c»T TT»_Tjn/v>f 


Description: 13 Original notes re interriew of 

cenfAiniYia Lfluo -ft 


b3 -2 
b7E -3 



bb -1 
b7C -1 


b6 -1 I 
b7C -1 


b3 -2 
b7E -3 




FBI(19-cv-1495)-29 






b6 -ll 
b7C -1 


ML IHFCK-LMILIT CCHTAIHED 

HEREIN IS ITNELRSSIFISE _ 

ERIE C'E-IS-EC'IO EY 5:'S24 

DOC LAB NOTE 

DOCUMENT(S) 
CANNOT 
BE SCANNED 

DESCRIPTION: 


Disk 
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Fr>-3<J0 (7-19-GO) 


kLl IHFC-SMS.TICM CCtriAIME: 
HEREIM 13 Ul'TCLASSIFIEE 
CiTE 02-13-2010 3Y 60324 UC 


Universal Case FUe Number 


FieM OiSIce Acquiring Evidence 
Serial # of Originating Bocument 
Bate Received 


AJV 





To Be Returned D Yes Cil''No 

Receipt Given O 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes [^No 

Federal Taxpayer Information (FTI) 

□ Yes S' No 


bo -1 
b7C -1 


Title: 


b6 

hir -1 


b3 -2 
b7E -3 


I 


Reference: 


(Communication Enclosing Material) 


Bescription: Q Original notes re interview of » 

ra./a.f'iAnr 

'/n i2,>yiilL// V^/5->y> _ 


b6 -3 
b7C -3 
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{0i/2G/1998) 


ALL IHFCBLLATICN 
HEREIN IS LTN;la; 
DATE 02-10-2010 


CCITTAINED 
;SI“IE2 
EY 5C'S24 rjE 


FEDERAL BUREAU OF INVESTIGATION 


b6 -ll 
b7C -1 


Precedence: ROUTINE Date: 03/06/2002 

To: New York 


From: New York 

Squad C-37 
Contact: SA 



Title: LAMO, ADRIAN 


b6 -1 
b7C -1 


b3 -2 I 
b7E -3 



Synopsis: Request to open sub-files and change of title. 

Details: Writer requests the following sub-files to be opened in 
above referenced case; 


Also, please open the following Sub files: 

,_ ^ _ 


Writer requests Title of Case be changed to 

ADRIAN LAMO 

New York Times-Victim; 

Computer Intrusion-Information Systems 
00:NY 

♦♦ 


b3 -2 I 
b7E -3; 


.- ----I 















(Rev. 08-28-2000) 


I .\LL I I'frc Fe-iAT I oir cont.^. i>ie Z' 

HEREIN IS ITNIlASSiriEI 
CATE 'j2-13-2010 EY 60324 UC 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 


Date; 03/14/2002 


To; All Field Offices 


Attn; NIPC SSA 


From; New York 

Squad C-37 
Contact; SA 


b6 -1 
b7C -1 


Approved By; 
Drafted By; 
Case ID #; r 


Title; ADRIAN LAMO; ^ 

New York Times-Victim; / - 

Computer Intrusion; 4 V 

00: NY 

Synopsis; Canvass all FBI Offices for positive information / 
regarding ADRIAN LAMO. / 

Details; In February 2002, LAMO discovered several misconfigured 
proxy servers acting as doorways between the public Internet and 
the New York Times’ private intranet. LAMO utilized the proxy 
servers to gain access to the New York Times network. Once on 
the network, LAMO cracked a password for a userid with supervisor 
rights. Utilizing this userid he was able to broaden his access 
as well as perform certain functions within the network. LAMO 
had access to individuals names and Social Security Numbers. 

LAMO informed The New York Times of the security vulnerability 
through SECURITYFOCUS.COM. 



Lffl^O has committed compter intrusi^ans int^several^ 
other colorations such as MICROSC^T, AQKeXCIJE^^ME 

and YAhQ. LAMP uses a ‘‘P:^2^^ur7£^’'’"'ta?^earc]T2tin&“u;-n:g^h%t''‘fbr 
proxy^s^rv^s that are misconf igured. -Once he obtaihs this 
information, he configures his browser to appear and utilize the 
proxy server as his own. Once the computer intrusion occurs, 

LAMO searches the network to determine if there are any other 
vulnerabilities and in the case of The New York Times, left a 
backdoor so that he could enter at another time undetected. 

Each time LAMO commits a computer intrusion on a high 
profile organization he reports the vunerability and intrusion to 
the media causing a distrust of the company’s clients. The above 
mentioned corporations have lost significant money and trust of 
their clients. 


FBI(19-cv-1495)-36 












To: 

Re: 


All Field Office s ■From; New York 

I 02!14/.2 ij 0-2 


# 

b3 -2 
b7E -3 


LAMO has ties to former hacker 
arrested by the FBI for computer intrusi 
charges, 


_I who was 

3.^h'a’l*=-s ecur i t y 


b6 -3 
b7C -3 


The New York Office and the Southern District of New 
York are currently investigating LAMO and his computer 
intrusions. 



i 


2 


FBI(19-cv-1495)-37 




To: 
Re: 


All Field Offices From: New York 

03/14/2002 


LEAD (s}: 

Set Lead 1: 

ALL RECEIVING OFFICES 


It is requested to query logical sources and report only 
positive intelligence regarding known or potential actions of 
ADRIAN LAMP. Positive intellig ence should be directed to SA 

I b6 - 

b7C 


♦ ♦ 


3 


b3 -21 
b7E -3 


1 

-1 
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(01/26/1998) 


ilLL iurcp^aiictl CClTTAIirED 
:-JER£IK IS UnCLASSiriED 
lATE 02-13-2010 BY <50324 UO 


b6 -1 
b7C -1 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


Date: 03/14/2002 


To: New York 


From: New York 

Squad C-37 
Contact: SA 

Approved By: 

Drafted By; 

Case ID #: 


b6 -1 
b7C -1 




Ti 11 

^*New"'i^di?K Times-Victim; 
Comwter Intrusion; 
Odim 


Synopsis: Request 


b3 -2 
b7E -3 




b7E -4 


Details; In February 2002, LAMO discovered several misconfigured 
proxy servers acting as doorways between the public Internet and 
the New York Times’ private intranet. LAMO utilized the proxy 
servers to gain access to the New York Times’ network. Once on 
the network, LAMO cracked a password for a userid with supervisor 
rights. Utilizing this userid he was able to broaden his access 
as well as perform certain functions within the network. LAMO 
had access to individuals’ names and Social Security Numbers. 

LAMO informed The New York Times of the security vulnerability 
through SECURITYFOCUS.COM. 

LAMO has committed computer intrusions into several 
other corporations such as WORLDCOM.,,.,MICpOS^T,^^-AQL^^^^^^ 
and YAHOO^., LAMO uses a “Proxy Hunter”"to searcK' tne'‘'lht:'«Ti'§f?®’for 
proxj^'^se^ers that are misconfigured. Once he obtains this 
information, he configures his browser to appear and utilize the 
proxy server as his own. Once the computer intrusion occurs, 

LAMO searches the network to determine if there are any other 
vulnerabilities and in the case of The New York Times, left a 
backdoor so that he could enter at another time undetected. 

Each time LAMO commits a computer intrusion on a high 
profile organization he reports the venerability and intrusion to 
the media causing a distrust of the company’s clients. The above 
mentioned corporations have lost significant money and trust of 
their clients. 


FBI(19-cv-1495H0 







New York 


03/07/2002 


b3 -2 
b7E -3 


LAMO has ties to former hacker _|, who was 

arrested by the FBI for computer intrusion/national security b6 -3,-4 
charges. b7c -3,-4 

_ Writ er contacted Assistant United States Attorney 

|“SDNY who concurred with the investigation. 


FBI(19-cv-1495)-41 











To: 
'^Re: 



Npw Vo-rk_•R'-rom» 


New York 

VBSfv^ciSg) 03/07/2002 



b3 -2 
b7E -3 


LEAD(s> : 

Set Lead 1: 

NEW YORK 

AT NEW YORK 

I I b7E -4 


♦♦ 
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b3 -2 
b7E -3 


<R^. 08-28-2000) 


ALL IMFCK-'J)TIG1T CCITTAIIIEG 
liERGIK IS UtllLASSIFIED i 
IAIE: 02-13-2010 BY clO'324 id 



FEDERAL BUREAU OF INVESTIGATION 


b6 -1 I 
b7C -1 


Precedence: ROUTINE 
To: New York 


From: New York 

Squad C-37 

Contact: 


Date: 03/07/2002 


Attn; tx?C/ SSA 

sa | 


Approved By; 
Drafted By: 
Case ID #; 



b6 -1 
b7C -1 


ckk 




b3 -2 
b7E -3 


Title: LAMO, ADRIAN 


Synopsis; Backgound information on subject and associates. 
Enclosures; Copy of article ‘He Hacks by Day, Squats by night’. 


Details: 

conduct 


On 03/06/2002, SA 


requested the writer to ^ b6 -i ,-4 
a logical search on Adrina Lamo. Mr. Lamo has a history b7c -i,-4 
of intruding into corporate systems: Yahoo (09/01); WorldCom 
(10/01) and The New York Times (03/02) . According to ACS no 
ot her fiel d office has initiated a case on this matter. Hence, 


SA 


provided IRS [_ 


with an article 


(http://wired.eom/news/0,1294,50811,00 .html) 
of information on Adrian Lamo. 


found in Wired News 
as a starting source 


The followi ng names were lo cated in the above 


referenced article by| 


1 writer for WiredNews: 

b6 -5 

(1)Adrian Lamo (2)1 

i(3r” 

(4)1 

^ b7C -5 

1^ 

1(5) 

(6) 


1 and (7)1 

b7E -2 
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ALL IHFCRVATIDIT CCLITAIHED 
HEREIN IS UlTILASSIFIEI 
H.AIE 02-13-2010 EY 50324 rd 




FBI(19-cv-1495)-45 
















b6 -l| 
b7C -1 


(Rev. 08-28-2000) 

V- 


ALL IHFCRVATIDIT CCLITAIHED 
HEREIN IS UlTILASSIFIEI 
H.AIE 02-13-2010 EY 50324 rjc 



FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 

To: New York 


Date: 04/16/2002 


Attn: SA 


Squad C-37 


From: Washington Field 

NS-18 / N orthern Virginia Resident Agency 
Contact: 


Approved By: 
Drafted By: 
Case ID #; 


| : 




Title: ADRIAN LAMO; 

New York Times-Victim; 
Computer Intrusion; 

00: NY 

Synopsis: Lead covered at WFO.' 
Reference1 




Administrative: Referen ce March 22, 2002 em ail sent to SSA 

from SSA 


Details: Referenced communication requested WFO/NIPC query 
logical sources and report only positive intelligence 
regarding known or potential actions of ADRIAN L^O. 


SSA 


|]sen'C SSA 


via 


email, informatio n advisi ng that Ameritech/SBC was a victim of 
Adrian Lamo. SSA I I additionally stated that he believes 

that Ameritech/SBC spoke with FBI Dallas concerning this. 

All other logical sources were queried, however, no 
positive information was provided. 

Based on the above investigation, and unless advised 
by New York Division, WFO considers this lead covered. No 
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Washington Field 
04/16/2002 
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LEAD(s} : 

Set Lead 1: 

NEW YORK 

AT NEW YORK, MY 
Read and clear. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

To: New York 

From: New York 

C-37 

Contact: |_ 

Approved By: | 

Drafted By: 


Case ID #: 


Title: 

Synopsis: Use of 

Internet access. 


Date: 03/08/2002 



idjjig) 


to provide 


Details; On 03/08/02 writer provided SA 


with 
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to the Internet through the 


SA|_[was able to begin an investigation on subject 

ADRIAN LAMO. LAMO has comitted computer intrusions into several 
corporations such as WORLDCOM, MICROSOFT, AOL and EXCITE@HOME. 
LMO posts his "accomplishments” to the media and on 

SECURITYFOCUS.COM web site. To help SA | p nqo lna _ 

investigati on. writer will continue to provide use of] 
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WlTH.T'-'T_ 
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Automated Serial Permanent Charge~Out 
FD-5a (1-5-94) 

Date: 05/20/02 Time: 09:18 
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Description of Document: 

Type : FD302 
Date : 03/19/02 
To : WASHINGTON FIELD 
From : NEW YORK 

Topic; ON 3-19-02, A COMMUNICATION VIA FAX WAS RECEIVED IN RESPONSE 
Reason for Permanent Charge-Out: ^ 

WRONG FILE NUMBER 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence; ROUTINE 


Date; 04/19/2002 


To; New York 


Attn; Scfuad C-37 

saI- 


From; Oklahoma City 
Squad 8 
Contact; SA 


Approved By; 
Drafted By; 



Case ID 
Title; 


# 


(Fgndiijg)-] 


ADRIAN LAMO; 

New York Times - Victim; 
Computer Intrusion; 

00;NY 
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Synopsis; To cover lead. 


Reference; 


Enclosure (s) ; 1) One original and one copy of a source 302 

referencing Lamo; - 

- 1 2) One lA envelope containing 


Details; In response to NY Division lead, OC Division queried 
all sources for information on Lamo. The results of the inquiry 
are located in the enclosures. 

OC Division considers this lead completed. 
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LEAD(s): 

Set Lead It (Adm) 

NEW YORK 

AT NEW YORK, NY 
Read and clear. 
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Date of transcription 05 / 09/2002 



teiepJLOi5§*^utt25er"('9T2) 729-7108 was telephonicaiiy 
^cted b^^mterviewing agent. After being advised as to the 
?f^nhihv L ^the in terviewing agent and the purpose of the 

provided the following information: 


b6 -2 
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. -rjP'-' 

’'November 2001. 


individual by the name of _ ^RIAN^ 


is aware of an _ 

o nacjced into the computer network of WORLDCOM iiT 






that their 


SiiCinLDCOM' s Public Relations Department was contacted by 
I S^c ^itv Foci^ is. and informed that LAMO had hacked 

and his engineers were able to confirm 
^into their network. The engineers, 
^I^nternal naba Mcai-wn-rV n-n^ with 


>ecur, 

nEb-'^hefFlTetworl^ 


ir ne^c 
ir wa ^ 2 
_anc 


a n ihcrusroi 
and 


a meinB^''’Sf~'Wb^LbCOM'''^L'egdl“Department 
telephon^call between themselves and LAMOT 
with internal screen captures that he had obtaii 


far ranged a 
?bwded WORLDCOM 
when he had 

hacked into their network. The screen captures^co ntained 
information pertaining to their internal web-sites. stated 

that LAMO gained unauthorized access to their networks to obtain 
the screen captures and any other information. 

LAMO told WORLDCOM employee's that he gained access to 
their internal network through a misconfigured proxy server. LAMO 
exploited Port 80 on the proxy server and once he gained access he 
was able to view confidential information on WORLDCOM's internal 
network. LAMO admitted to the WORLDCOM employees that he accessed 
their network from KINKOS. LAMO informed WORLDCOM about the 
intrusions months after he had first intruded. The engineers 
immediately reconfigured the proxy server to prevent against future 
exploits of this kind. 



said that WORLDCOM suffered a significant 
financial loss due to the unauthorized intrusion by LAMO. 


believes that LAMO was looking for publicity not monetary 'rewaras 
for his hacking. The publicity that WORLDCOM received because of 
the intrusion was detrimental to WORLDCOM's business. 
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Investigation on 03/14/02 at New York, NY_ (telephonicallv ) 

_ b6 -1 


File # 

by 


Date dictated 03/17/2002 b7C -1 

SA 


1_ 

b7E -3 



This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 

it and its contents are not to be distributed outside your agency. FBI( 19-CV" 1495)-60 
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Continuation of FD-302 of 
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.On 03/14/02 Page 2 


with 

in California 


stated that a WORLDCOM investigator was familiar 


the past, the investigator had arrested 


for hacking into unauthorized systems. 


FBI(ig-cv-1495)-61 

































FBI(19-cv-1495)-66 








FD-302(Rev. 10-6-95) 


b6 -Ij 
b7C -1 



LL IHrCKNlATIDN CCIJTAIHED 
EREIH IS LTlTILilSSIFISI 
AIE C'S-lS-iC'lO EY 50324 TJC 


-1 - 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 03/27/2002 



b6 -2 
b7C -2 


_ ] of THE NEW YORK TIMES. A:^er being advised as to the 

identities of the interviewing agents and the purpose of the 
interview,_provided the fo/lowing information: 


YORK TIMES intranet byfAURI^ 


is aware»* 0 'f^Hyh^:;. GOi^Duter in trusion into THE NEW 


gained un authorized acc^'s?'%o 
14, 2002. 


believes that 


?hei^^ 'intranet on or around 
along with /bembers of her staff reviewed the 
logs of their weo servers and/proxy servers and from this they were'ii 
able to determine that LAMO Mad gained unauthorized entyy to their 
intranet through one (1) of /iheir proxy serv ers. The IP addr esses 


of the orofiiv serv ers that were reviewed were 


and 




7 
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:lAMO was able to access the newsroom's intranet homepage. 
Through this homepage he was able to add himself and view the data 


reviewed the database and w as able t o view 

is 


b6 -2 
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the unauthorized entries made by LAMO. At this tiraej 
unable to determine if LAMO downloaded any information trora their 
intranet. 


_[provided the interviewing agents with a copy of 

emails and analysi s report^ prepared regarding the computer 


b6 -2 
b7C -2 


intrusion of LAMO. 
be secured by THE ] 


JEW YORK" 


Stated that the logs and database will 
TIMES. 


Investigation on 03/26/2002 at New York, NY 


File # 


Date dictated 03/27/2002 

by _ 

SA 
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This document contains neither recommendations nor conclusions of the FBI. 
it and its contents are not to be distributed outside your agency. 


It is the property of the FBI and is loaned to your agency; 
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105:55 PM 2/28/02 -0500, w eb logs 

X-Sender: | 1 

X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 

Date: Thu, 28 Feb 2002 17:55:35 -0500 

- 

Fronrj_ f - 

Subject: web logs 


I _ _n—— __found indications that our 

[lacKer Tnena was in the system as early as February 14 and ag mr.pnth/ FoKmarx/ or 
this by 

1 . . Ih iere's the summery of hif.g nn fhp tPnhnwA/Q Qon'‘=»r. 

Times were originaliy logged in Greenwich Mean Time; I’ve converted them to Eastern by 
subtracting five hours. 

Thursday, Feb. 14 58 hits between 1:36 a.m. and 2:24 a.m. 

Wednesday, Feb. 20 326 hits between 7:44 p.m. and 10:41 p.m. 

Thursday, Feb. 21 65 hits between 10:06 a.m. and 10:55 a.m. 

Monday, Feb. 25 98 hits between 3:00 p.m. and 3:45 p.m. 

Tuesday, Feb. 26 30 hits between 8:00 a.m. and 8:15 a.m. 

A "hit'Us either a "pet" or a "post". A "get" is a request for information, or a read. A "post" is a 
’write". On_logs, there are 441 gets and 166 posts. 
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I ne New York Times 
Seventh Floor, 229 West 43rd Street 
New Y ork, NY 10036-39 59 
Phone: I I Pager: I 


Fax: 212-556-1636 
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Fro m! I ^ 

Subject: FW: Change in Stafflist 

Date: Tue, 26 Mar 2002 10:59:33 -0500 ^ 

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) 

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 ^ \'rN^ ^ '~Kv^ 

Importance: Normal PnIOjC^!^^ 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 03 /27/2002 


I _Public Relations, THE 

NEW YORK HM ES^22.9^W.esb.,.A3rd.,S.tneee::-.lJew~?m--]?7;nsr^“n;n^^ 
nuntfa ^_ ^ wa& interviewed at her^'placa of ^mni nvm<=nt. 

Also pr>es^nt during the interview was| 

\ THE NEW YORK TIMEST After being advised as to 
the ident ities of the interviewing a^nts and the purpose of the 
interview, provided the follpWing information: 


- ^ebnuaiB^*.2.6. 

fbf'^ECUklTYFOCUS 

rl;iah-»~an*-i'nda’V>'Mua“l'‘4iad^ 

-n-r a fommi=»nt- f-rr.m them. 

and <email 

jigarT^a i i"i ng~the areas 


_Ls^as connected by f 

|.>e6rtu [ _] informed THE NEW YORK TIMES 

fal‘hed''''access to their intranet and asked 


b6 -2, 
b7C -2 


necessary to cor 


r-aS'iOn. 


so she contacteq_ 

that the hacker, ADRIAN j. 
and that LAMO wouf^’^^S^^felS 
contacted him directly^ 
number (415) 505-4225./T 


Ao' confij;f!f'’^that an i ntrusion had occurred 
p^When she contacted] jhe told her 

liAMO had gained access into their intranet 
problem if THE NEW YORK TIMES 
was provided LAMO's cell phone 
never spoke with LAMO directly. 


b6 -2, 
^b7C -2 



receivjed a telephone call from the WASHINGTON POST 
and MSNBC.com and was 'informed that IjAMO had provided them with 
screen shots of their intranet and she was asked to comment. One 
of the reporters who called her told her that LAMO informed them 
that he had been in their intranet for 10 days prior to informing 
them of the intrusion. 


I [cemented that] called her yesterday "for an 

update". ! I told her that he heard a rumor from TECHTV that c 

THE NEW YO RK TIMES w as going to prose cute Ly ^O for his unauthorized 
intrusion. wanted to know if had reported it as a 

criminal act to the Federal Bureau of investigation. 


OPED page, 


commented that LAMO ruined the reputation of their 


Investigation on 03/26/2002' at NeW York, NY 


SA 
by SA 


Date dictated .03/27/2002 
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Continuation of FD-302 of 


,On 03/26/2002 ,Page 



provided the interviewing agents with various 
paperwork regarding her discussions and investigation into the 
unauthorized intrusion by LAMO. 
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To: 

cc: 


Subject: Reporter call re: alleged security breach w/NYT Co. intranet 


1 received a call from 
{www.securityfocus.com) 


a reporter with Security Focus, an online publication. 


I he was contacted by a hacker of "known reliability" who said he was able to gain access 

to The New York Times Company’s intranet (and extranet, it seems). 


According to the reporter, this hacker-said he was abie to download the social security numbers of 
all Times employees, as well as personal files/info on 3,000 op-ed contributors. He also accessed 
credit card information for home delivery subscribers. 

He said he was able to get thru via an open proxy server. 


Please give me a call to let me know 

1) if this is possible 

2) if we can track access records to see if In fact our files were accessed by this person and 

3) how we'd like to respond. 


The reporter's on deadline for today and has asked us to comment. Supposedly this is a "friendly" 
hacker who in the past has alerted companies to these types of security issues and helped resolve 
them (not as a paid consultant but to be "helpful" according to the reporter). 


thanks! 
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To: 

cc: 


Subject: Re: IP addresses for alleged security breach — NYT intranet 


now has this information and is examining her proxy server for more information. 


b6 -2 I 
b7C -2 


I_ I To: 

02/26/02 01:29 PM 

cc: 


Subject: (P addresses for alleged security breach - NYT intranet 

i called back to clarify where this information was accessed so we could nail this down. Reporter 
also gave me the IP addresses for the proxy servers that were accessed. 


- 1 think it's iimited to the NYT newspaper - the social security numbers were for newspaper 
employees and op-ed columnists. 

-I m not sure who serves the home delivery Web site, but the hacker gave the reporter a log that 
had a chronological file of when print subscribers had stopped & started delivery, or complained etc 

here are the iP addresses: 


I’ll call to followup, thanks. 


lllliiiniimif 


02/26/2002 01:11 PM 
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To: 

cc: 
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02/26/2002 03:15 PM 


To: 

cc: 

Subject: 


b6 -1, -2,-3 I 
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I called back the reporteb P | to find out his deadline. He is filing by 4 PM EST today, so weTl 

^ i _I .1 •> 


need to draft a holding statement by then. 


—[also said the hacker was fine with us to contacting him; described him as an unusual, 
"friendly hacker" who wants to help. !'m not sure how you've handled this in the past but here's 
his info: 

Adrian Lamo 415-505-4225 


1 did a Google search on Lamo and turned up recent, similar articles by the same publication & 
reporter of today's query, FYI: 

Yahoo! News hacked 

Hacker tinkers with news articles undetected. 

By Kevin Poulsen 

http://oniine.securityfocus.com/news/254 
Sep 18 2001 4:25PM PT 


in a development that exposes grave risks of news manipulation in a time of crisis, a hacker 
demonstrated Tuesday that 

he could rewrite the text of Yahoo! News articles at will, apparently using nothing more than a 
web browser and an 

easily-obtained Internet address. 


Yahoo! News, which learned of the hack from SecurityPocus, says it has closed the security hole 
that allowed 

20-year-old hacker Adrian Lamo to access the portal's web-based production tools Tuesday 
morning, and modify an 

August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal 
criminal charges under 

the controversial Digital Millennium Copyright Act (DMCA). 

Lamo's Adventures in WorldCom 

The helpful hacker strikes again, this time finding a route into the communications company's 
private Web, 

then telling its security staff all about it. Who is Adrian Lamo, why does he do this, and would 
his' life be the 

same if Kinkos kicked him out? 

By Kevin Poulsen 

Dec 5 2001 10:46AM PT 

http://onIine.securityfocus.com/news/296 ' ' 
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To: 


cc: 


Subject: response to first press inquiry 

am drafting the response to the second query; will circulate shortly. 
-Forwarded by 


on 02/26/2002 04:13 PM ■ 


02/26/2002 04:01 PM 


b6 -2,-3 
b7C -2,-3 


I_ 

cc; 

Subject: NYT issue 


I b6 -2,-3| 

b7C -2,-3 

I realize you're on deadline for 4 PM EST so here’s a statement: 

The New York Times Company takes the security of its network very seriously and we are actively 
investigating a potential security breach. Based on the results of this investigation we will take 
appropriate steps to ensure the security of our network." 


_fR 

The New York Times Company 
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02/26/2002 04:1 6 PM ~ 


To: 

cc: 


Subject: second press query: NYT intranet exposure 


let's talk more about pulling the site(sl down. Mv connem Ir that ilT 


T 


b6 -2 1 
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This reporter is filing tonight too, and word gets around quickly in the hacker community. Don't 
want more folks hitting the sites. 

if it's not secure, and personal info is out there, we may want to err on the side of caution until 
we’re sure. 


Forwarded 


by 


bn 02/26/2002 04:09 PM- 

on 02/26/2002 03:57:28 PM 


b6 -2 1 
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I_ 

Subject NYT intranet exposure 


b6 -2 1 

'-' b7C -2 

A source of mine tells me that the NYT Corporate Intranet 
was exposed via a rogue proxy on the company's netblock. 

He has sent me detailed screen shots and information. 

I'm writing to solicit any general comments the company 
is prepared to make on this development. I have also included 
some specific questions below, if you'd care to address them. 

Has the NYT disabled access to the sites in question, and 
had anyone there previously expressed concern that such 
an exposure might come to pass? 

How long has remote access been available through this 
network? Did the Times take any steps in particular to prevent 
the sort of high-profile defacement left in 1998 by the group 
"Hackers for Girlies"? 

Thanks in advance for your help. This is for a story I’m filing 
this afternoon. I'll call you as well. 

Sincerely, 
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02/26/2002 07:32 PM 


To: 

cc: 

Subject: thoughts about calling the hacker tomorrow? WorldCom did... 

here’s the excerpt from the article I sent earlier. WorldCom worked actively with "the kid" to fix the 
wholes...he also contact them through SecurityFocus.com. 

! think a techie to techie call would be fine, he seems pretty helpful from this article. 

And working with him would be a way to minimize the situation like WorldCom did below. let me 
know what you want to do... 

http://online.securityfocus.com/news/296 
Lamo's Adventures in WorldCom 

• The Helpful Hacker 

“Vint Cerf recently did a public service announcement in which, generally speaking, the message 
was it would be really 

great if the hacker community went back to its roots," says WorldCom spokesperson Jennifer 
Baker. "[ guess that from 

a general industry standpoint, Adrian seems to be doing just that... At that end of the day, what 
he did wasn’t 

destructive or harmful." 

Over a month after the Kinkos visit, Lamo has come clean with WorldCom, and the company is 
grateful. The hacker 

contacted the commumcations leviathan through SecurityFocus on Friday. Saturday morning, just 
as he crashed after 

an all-night hacking session on "an unrelated project," his cell phone rang. There were three 
WorldCom managers on 

the line, wondering of it was true that Lamo had cracked their global corporate Intranet, and 
what they needed to do to 
fix it. 

"I made it clear very quickly that all I was interested in doing was make it as positive an 
experience as possible for 

everyone," says Lamo. True to his word, the hacker would spend the rest of the weekend on 
conference calls and in 

email, bleary briefing the company on his months of illicit exploration. On Tuesday, the 
WorldCom turned to Lamo to 

give them a final biil of health. After a scan of their address space, he pronounced that 
WorldCom had successfully 
closed the proxy hole. 

"What we discovered when we investigated Adrian's issues, was that there was a router with an 
inappropriate filter on it," 

says Baker. "In the end it was a human error, and we're really happy that he brought it to our 
attention... We really 


b6 -1, -2 I 
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appreciate his efforts to work with us" 


That instant willingness to cooperate, even to sign a non-disclosure agreement, with no strings 
attached is part of what's 

kept Lamo out of legal trouble, for what are indisputably violations of federal computer crime 
law. In May, when the 

hacker used an open proxy to crack ailing Excite@Home's internal Web, adding himself to the 
corporate directory and 

finding a route to millions of subscribers' records, he walked into the company's Redwood City, 
Calif, headquarters to 

brief network administrators in person, and he didn't leave before helping them plug the hole. 
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To: 

cc: 

Subject: some hints to the WorldCom hacking that might apply to us 
from that same article. http://online.securityfocLis.com/news/296 
did he do the same on NYT Co's intranet? 

The Problem with Proxies 

As he has with other networks, Lamo found the keys to World Corn's kingdom in open Internet 
proxy servers, in normal 

operation, a proxy server is a dedicated machine that sits between a local network and the 
outside world, passing 

internal surfers’ Web requests out to the Internet, often caching the results to speed up 
subsequent visits to the same 

URL 

But it's easy and common for administrators to inadvertently misconfigure proxy servers, 
allowing anyone on the Internet 

to channel through them. Sometimes companies and organizations even unknowingly run 
proxies. Hackers and 

privacy-conscious netizens catalog these open proxies, using them to anonymize their surfing. 
Lamo has perfected a 

different use: jumping through them to pose as a node on a company’s internal network. 

Using a common hacker tool called "Proxy Hunter," Lamo scanned WorldCom's corporate 
Internet address space, and 

quickly found five open proxies ~ one of them hiding in plain site at wireless.wcom.com. From 
there, he needed only to 

configure his browser to use one of the proxies, and he could surf WorldCom's private network 
as an employee. 

Once inside, he found other layers of security protecting various intranet sites from employees 
who might exceed their 

authorized access. But after a couple of months of sporadic exploring, Lamo has made 
substantial inroads. He can use 

WorldCom human resources system to list names and matching social security numbers for any 
or all of the company's 

86,000 employees. With this information, all he needs is a birth date {he swears by 
anybirthday.com) and he can reset 

an employee's password and access his or her payroll records, including information like their 
salary, emergency 

contacts, and direct deposit instructions, complete with bank account numbers. He could even 
modify the employee's 

direct deposit bank account, and divert a paycheck to his own account, if he wanted to. "A iot of 
people would be willing 

to blow town for a couple hundred thousand dollars," says Lamo. 
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He has some access to customer records, too, primarily subscribers to 
WoridCom’s data services. He can browse notes and circuit diagrams for 

AOL’s 

new T1 cross border iink between its Virginia offices and AOL Mexico, and a 
detaiied engineering order for a connection between the 
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